In March 2022, Gartner predicted that by 2025, 45% of organisations worldwide would have experienced attacks on their software supply chains, a threefold increase from 2021. By some accounts, that prediction may have been conservative. In 2024, Data Theorem commissioned a study that revealed that 91% of the 350 respondents in North America experienced a software supply chain incident over a 12-month period.
Asia may be even more vulnerable given the low levels of technology practice maturity, particularly in some markets. The growing complexity of software dependencies—especially in an era marked by high-profile breaches like SolarWinds—has raised alarms about the vulnerabilities inherent in modern enterprise applications.
The World Economic Forum (WEF) highlights that as businesses increasingly depend on third-party software suppliers and open-source solutions, they confront significant hurdles in ensuring the security and integrity of their software ecosystems.
Jennifer Cheng, director of Cybersecurity Strategy for APJ at Proofpoint, underscores this urgency, stating, "The reliance on technology to replace human processes has introduced new vulnerabilities."
Key cybersecurity threats
The Data Theorem study revealed that the most common security incidents over the survey period were zero-day exploits on vulnerabilities within third-party code (41%). Vulnerability exploits in open-source software and container images and secrets/tokens/passwords stolen from source code repositories came in very close at 40% and 37%, respectively. API data breaches in third-party software and code were not far off at 37%.
According to Proofpoint's Cheng, Asia has not escaped the trends, citing the three most significant cybersecurity threats Asia's supply chain faced:
Impersonation and vendor compromise: Recent incidents reveal the devastating impact of compromised software dependencies. The SolarWinds breach, which affected over 30,000 organisations, including U.S. government agencies, exemplifies the catastrophic potential of such vulnerabilities. Attackers embedded malicious code into updates sent globally, resulting in an average revenue loss of 11% for affected companies.
As Cheng explains, attackers exploit trusted business relationships through impersonation or compromised supplier accounts. This underscores the need for heightened vigilance in managing vendor relationships.
Software vulnerabilities exploited: The landscape of software supply chains is fraught with risks from unpatched vulnerabilities and malicious code. WEF cyber resilience specialist Luna Rohland comments, "Modern software applications are rarely built entirely from custom code; they integrate a mix of open-source components, APIs, libraries, and configurations."
This complexity reduces direct control over software environments and introduces new security vulnerabilities. Phishing campaigns leveraging legitimate software tools have increased significantly, with attackers finding innovative ways to exploit these dependencies.
Sensitive data loss risks: Intertwining business relationships can lead to unexpected vulnerabilities. Research shows that individuals are three times more likely to click on phishing links from trusted suppliers.

"The reality is that business interactions often blur the line between necessary and excessive information sharing, leading many to share sensitive information, creating opportunities for attackers unknowingly." Jennifer Cheng
Evaluating the cybersecurity posture of software suppliers
If there is a lesson to be learned from the financial services industry, it is that organisations need to make an effort to know their suppliers. According to the U.S. National Institute of Standards and Technology (NIST), organisations are concerned about the risks associated with products and services that may contain malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the supply chain.
"These risks are associated with an enterprise's decreased visibility into and understanding of how the technology they acquire is developed, integrated, and deployed or the processes, procedures, standards, and practices used to ensure the security, resilience, reliability, safety, integrity, and quality of the products and services." NIST, May 2022
For her part, Cheng lists two recommendations when evaluating software suppliers:
Comprehensive assessments required: To safeguard against these risks, organisations must adopt a holistic approach to assessing the cybersecurity posture of their suppliers.
"Leaders must start with internal visibility—understanding how their employees and systems transact within the organisation," Cheng advises.
AI-powered tools that monitor communication patterns and data exchanges are essential for detecting early signs of compromise.
Underutilised email protections: Despite the risks, critical protections like DMARC, DKIM, and SPF are underutilised in the APAC region. Cheng highlights that only 46.2% of Singaporean firms have set DMARC to 'reject', signalling a critical gap in email security that attackers could exploit.
Securing software supply chains in a digital world
The early days of the pandemic and the accelerated efforts to digitalise revealed vulnerabilities across most processes. While awareness of supply chain security has improved since then, significant vulnerabilities remain.
"Cyberattacks continue to exploit human error and legitimate technologies," Cheng notes, indicating that organisations must balance technology adoption with securing human-driven transactions.
Enhancing resilience through technology
The Microsoft-CrowdStrike IT Outage on 24 July 2024 highlighted the disruptive potential of supply chain incidents. But that was not the first, nor should we expect it to be the last. Cheng says the reliance on technology to replace human processes has introduced new vulnerabilities, and many organisations have not sufficiently invested in securing these systems.
"They struggle to adapt to evolving threats, particularly in securing human interactions and ensuring robust protection across their supply chains," she comments.
So, what to do?
Prioritise authentication measures: Organisations can bolster software supply chain resilience by prioritising the authentication of business communications. Cheng asserts, "Email authentication technologies can prevent impersonation and spoofing," yet many Asian organisations are still not taking adequate preventive measures.
AI solutions to the rescue: AI-powered tools can enhance email security and monitor internal interactions, helping prevent inadvertent data exposure. The WEF's Global Cybersecurity Outlook 2025 report reveals a 119% increase in daily URL-based threats, further emphasising the need for vigilance in software supply chains.
Beyond traditional training: CISOs must move past conventional security training, focusing on fostering real-time decision-making among employees.
Cheng believes a human-centric approach is key: "Identifying who in the organisation is most vulnerable, understanding privileged access risks, and addressing gaps in supplier relationships."
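The email authentication gap described above (DMARC not set to 'reject', SPF and DKIM underused) is something an organisation can audit for its own domains. The following script is an added example, not code from the article, Proofpoint or the WEF: it parses DMARC and SPF TXT records and classifies how much enforcement they actually provide, so that a record with p=reject but pct=10, or an SPF record ending in +all, is not mistaken for a hardened one. The domain names and records are constructed for illustration; in practice the DMARC record is read from the `_dmarc.<domain>` TXT entry and the SPF record from the domain's own TXT entry. DKIM is not evaluated here because its public key lives under a selector name that the auditor must already know.

```python
"""Classify DMARC and SPF records by the level of enforcement they provide.

Added example for auditing a domain's own email authentication posture.
Works offline on record strings; DNS lookup is left to the caller.
"""

# Constructed sample records (hypothetical domains, not real DNS data).
SAMPLE_RECORDS = {
    "example-strict.test": {
        "dmarc": "v=DMARC1; p=reject; pct=100; rua=mailto:dmarc@example-strict.test; adkim=s; aspf=s",
        "spf": "v=spf1 include:_spf.mailprovider.test ip4:192.0.2.0/24 -all",
    },
    "example-monitor.test": {
        # p=none only reports; spoofed mail is still delivered.
        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@example-monitor.test",
        "spf": "v=spf1 include:_spf.mailprovider.test ~all",
    },
    "example-weak.test": {
        # Looks enforced, but pct=10 applies the policy to only 10% of mail,
        # and +all authorises any host on the internet to send as the domain.
        "dmarc": "v=DMARC1; p=reject; pct=10",
        "spf": "v=spf1 +all",
    },
    "example-missing.test": {"dmarc": None, "spf": None},
}


def parse_dmarc(record):
    """Return the tag=value pairs of a DMARC record, or None if it is not one."""
    if not record:
        return None
    tags = {}
    for part in record.split(";"):
        if "=" not in part:
            continue
        tag, _, value = part.partition("=")
        tags[tag.strip().lower()] = value.strip()
    if tags.get("v", "").upper() != "DMARC1":
        return None
    return tags


def assess_dmarc(record):
    """Classify a DMARC record as one of:
    'missing', 'invalid', 'monitor-only' (p=none), 'partial' (pct<100),
    'quarantine' or 'reject'. Only 'reject' at pct=100 counts as fully enforced."""
    if not record:
        return "missing"
    tags = parse_dmarc(record)
    if tags is None or "p" not in tags:
        return "invalid"
    policy = tags["p"].lower()
    if policy == "none":
        return "monitor-only"
    if policy not in ("quarantine", "reject"):
        return "invalid"
    try:
        pct = int(tags.get("pct", "100"))  # pct defaults to 100 when absent
    except ValueError:
        return "invalid"
    if pct < 100:
        return "partial"
    return policy


def assess_spf(record):
    """Classify an SPF record by the qualifier on its 'all' mechanism:
    'missing', 'invalid', 'delegated' (redirect= modifier), 'enforced' (-all),
    'softfail' (~all) or 'permissive' (+all, ?all, or no 'all' at all)."""
    if not record:
        return "missing"
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return "invalid"
    for term in terms[1:]:
        mech = term.lower()
        if mech.startswith("redirect="):
            return "delegated"  # policy lives in another domain's record
        if mech.lstrip("+-~?") == "all":
            qualifier = mech[0] if mech[0] in "+-~?" else "+"
            return {"-": "enforced", "~": "softfail"}.get(qualifier, "permissive")
    return "permissive"


def audit(records):
    """Return {domain: (dmarc_status, spf_status, findings)} for a mapping of
    domain -> {'dmarc': txt_or_None, 'spf': txt_or_None}."""
    results = {}
    for domain, txt in records.items():
        dmarc = assess_dmarc(txt.get("dmarc"))
        spf = assess_spf(txt.get("spf"))
        findings = []
        if dmarc != "reject":
            findings.append(f"DMARC is not enforcing p=reject (status: {dmarc})")
        if spf not in ("enforced", "delegated"):
            findings.append(f"SPF does not hard-fail unauthorised senders (status: {spf})")
        results[domain] = (dmarc, spf, findings)
    return results


if __name__ == "__main__":
    for domain, (dmarc, spf, findings) in audit(SAMPLE_RECORDS).items():
        print(f"{domain:24} DMARC={dmarc:12} SPF={spf:10} "
              + ("OK" if not findings else "; ".join(findings)))
```

The classification deliberately treats p=quarantine and a partial pct as findings, because the article's metric is the share of firms that have reached p=reject; a domain that stops short of that still lets some spoofed mail through to the recipient's inbox.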
Balancing cost and security investments
IDC's latest forecasts suggest global security spending will grow by 12.2% in 2025. The company says the increased investments in security will aim to address security gaps and protect assets and processes as digital transformation further accelerates.
Despite the increased spending, budgets are not unlimited. Faced with that limit, Cheng says organisations must manage costs while ensuring robust cybersecurity. To do so, they should align their investments with risk tolerance and operational priorities.
"Cybersecurity is an investment in trust, both for customers and suppliers. Balancing costs requires aligning investments with organisational risk tolerance and operational priorities." Jennifer Cheng
Crafting a compelling risk narrative
CISOs should present a human-centric risk narrative that resonates with business leaders, framing cybersecurity as an essential investment in operational resilience. "Present a human-centric risk story that resonates with business leaders," Cheng advises, stressing the need to demonstrate the tangible value of robust security measures.
J.P. Morgan's blog post on the top cybersecurity trends of 2025 states that businesses rely heavily on vendors and suppliers in today's interconnected world, which introduces cybersecurity risks. It warns that threat actors target vulnerabilities in supply chains, especially those with weaker security measures, to access sensitive information, and concludes that these vulnerabilities can lead to data breaches, service disruptions, and reputational harm.
Much like the phygital supply chains we have today, the software we rely on – business applications, monitoring and management tools, and even the tools that connect our systems within and outside the environment – presents potential targets for threat actors.
We've all heard the advice from experts: a proactive and strategic approach to cybersecurity is crucial. By leveraging technology effectively and aligning investments with organisational priorities, organisations can navigate this complex landscape successfully.
And if you think artificial intelligence may be the panacea to solving any potential software supply chain vulnerability, think again.
As noted by the WEF, AI technologies' transformative potential brings both risks and opportunities, underscoring the urgent need for a security-first mindset to safeguard against vulnerabilities in an interconnected digital world.